The CCPA, or California Consumer Privacy Act, came into effect on 1 January 2020. It is one of the first acts of this kind in the United States of America. The CCPA is a statewide data privacy law in California. It regulates how companies or firms around the world handle the PI (Personal Information) of California residents.
Who does CCPA apply to?
The CCPA applies to any company or firm whose annual gross profit is more than 25 million dollars, or that receives, processes, or transfers data from over 50,000 Californians annually, or that derives a minimum of 50% of its annual revenue from selling Californians' PI (Personal Information).
What are the user rights under CCPA?
Under the CCPA, Californians are granted a few important rights: the Right to know, the Right to delete, the Right to non-discrimination, and the Right to opt out.
What is Data Mapping?
Data Mapping is connecting a data field in one source to a data field in another source. It minimizes possible errors, helps keep data systemized, and helps tally the data.
The company should know what information is being collected, then map the flow of data and create an inventory. Lastly, it should have a method to classify the collected information.
Any customer information that identifies, describes, relates to, is linked to, or could be related to, directly or indirectly, a customer or their household is defined as PI (Personal Information).
According to the CCPA, data doesn’t have to be directly related to an individual for it to qualify as personal information. Personal data may also include information linked to a household or an individual’s device.
Inform consumers of your intentions at or before the point of data collection.
This information should be available in the languages in which your business provides information in California.
Make the information available in either a banner or a pop-up when the user visits your site (consider using a CMP).
Give the user an option to opt out (“Do Not Sell”).
Update the information and 'effective date' of the policy every 12 months.
Ensure the date of the last update is clearly visible.
List all the categories of personal information your business has sold in the past 12 months.
An option to OPT OUT
Customers need to have an option to opt out. This has to be easily accessible to the customers.
Include a “Do Not Sell” link (opt-out) that is easily available on your homepage (use a Consent Management Platform).
Minors: Obtain explicit consent (opt-in) from parents or legal guardians before processing the personal data of minors between the ages of 13 and 16.
Ask for opt-in again only 12 months after the consumer has opted out.
Consumer Rights Requests
Every Californian has the right to object to the selling of their PI (Personal Information) to any third party. Additionally, if a consumer has denied or objected to the selling of their data, the company cannot ask the customer to consent again for the next 12 months from the date of objection.
Let us see how a company can provide Consumer Rights Requests.
A system has to be set up for submitting Consumer Rights Requests. Provide at least two contact options, e.g. toll-free phone number, web form, email.
Enable consumers to attach evidence when submitting a request to verify their identity and proof of residency.
Set up a system to verify such requests.
If your business cannot reasonably verify the identity to the appropriate degree of certainty, it must inform the consumer and explain why the request could not reasonably be verified.
Keep records of all requests and your business responses for 2 years.
Response time: standard period within 45 days; extended period up to 90 days.
To fulfil the CCPA regulation, the security team needs to work closely with the database administration team, and a high level of data security needs to be provided to customers. Let us see how a company can achieve this.
Contact us to know more about how Techpearl experts can develop software products that satisfy the regulations of the California Consumer Privacy Act.